#1
  1. Beyond The Impossible
    ASP Adventurer (500 - 999 posts)

    Join Date
    Sep 2003
    Location
    Shawnee Mission, KS, USA
    Posts
    921
    Rep Power
    17

    ASP Classic: SHA1 hash


    This SHA1 hash function is written in JavaScript, but VBScript can call its functions. The main reason I prefer this one is it has a BSD license.

    Example:
    Code:
    <!-- #include file = "hex_sha1_js.asp" -->
    <%
    	Dim strPassWord, strHash
    	strPassWord = "abc"
    	strHash = hex_sha1(strPassWord)
    
    	Response.Write("<p><b>strPassWord:</b> " & strPassWord & "</p>")
    	Response.Write("<p><b>strHash:</b> " & strHash & "</p>")
    %>
    hex_sha1_js.asp
    Code:
    <script language="javascript" type="text/javascript" runat="server">
    /*
     * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
     * in FIPS PUB 180-1
     * Version 2.1a Copyright Paul Johnston 2000 - 2002.
     * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
     * Distributed under the BSD License
     * See http://pajhome.org.uk/crypt/md5 for details.
     */
    
    /*
     * Configurable variables. You may need to tweak these to be compatible with
     * the server-side, but the defaults work in most cases.
     */
    var hexcase = 0;  /* hex output format. 0 - lowercase; 1 - uppercase        */
    var b64pad  = "="; /* base-64 pad character. "=" for strict RFC compliance   */
    var chrsz   = 8;  /* bits per input character. 8 - ASCII; 16 - Unicode      */
    
    /*
     * These are the functions you'll usually want to call
     * They take string arguments and return either hex or base-64 encoded strings
     */
    function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
    function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
    function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
    function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
    function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
    function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
    
    /*
     * Perform a simple self-test to see if the VM is working
     */
    function sha1_vm_test()
    {
      return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d";
    }
    
    /*
     * Calculate the SHA-1 of an array of big-endian words, and a bit length
     */
    function core_sha1(x, len)
    {
      /* append padding */
      x[len >> 5] |= 0x80 << (24 - len % 32);
      x[((len + 64 >> 9) << 4) + 15] = len;
    
      var w = Array(80);
      var a =  1732584193;
      var b = -271733879;
      var c = -1732584194;
      var d =  271733878;
      var e = -1009589776;
    
      for(var i = 0; i < x.length; i += 16)
      {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        var olde = e;
    
        for(var j = 0; j < 80; j++)
        {
          if(j < 16) w[j] = x[i + j];
          else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
          var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)),
                           safe_add(safe_add(e, w[j]), sha1_kt(j)));
          e = d;
          d = c;
          c = rol(b, 30);
          b = a;
          a = t;
        }
    
        a = safe_add(a, olda);
        b = safe_add(b, oldb);
        c = safe_add(c, oldc);
        d = safe_add(d, oldd);
        e = safe_add(e, olde);
      }
      return Array(a, b, c, d, e);
    
    }
    
    /*
     * Perform the appropriate triplet combination function for the current
     * iteration
     */
    function sha1_ft(t, b, c, d)
    {
      if(t < 20) return (b & c) | ((~b) & d);
      if(t < 40) return b ^ c ^ d;
      if(t < 60) return (b & c) | (b & d) | (c & d);
      return b ^ c ^ d;
    }
    
    /*
     * Determine the appropriate additive constant for the current iteration
     */
    function sha1_kt(t)
    {
      return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 :
             (t < 60) ? -1894007588 : -899497514;
    }
    
    /*
     * Calculate the HMAC-SHA1 of a key and some data
     */
    function core_hmac_sha1(key, data)
    {
      var bkey = str2binb(key);
      if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
    
      var ipad = Array(16), opad = Array(16);
      for(var i = 0; i < 16; i++)
      {
        ipad[i] = bkey[i] ^ 0x36363636;
        opad[i] = bkey[i] ^ 0x5C5C5C5C;
      }
    
      var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
      return core_sha1(opad.concat(hash), 512 + 160);
    }
    
    /*
     * Add integers, wrapping at 2^32. This uses 16-bit operations internally
     * to work around bugs in some JS interpreters.
     */
    function safe_add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    
    /*
     * Bitwise rotate a 32-bit number to the left.
     */
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    
    /*
     * Convert an 8-bit or 16-bit string to an array of big-endian words
     * In 8-bit function, characters >255 have their hi-byte silently ignored.
     */
    function str2binb(str)
    {
      var bin = Array();
      var mask = (1 << chrsz) - 1;
      for(var i = 0; i < str.length * chrsz; i += chrsz)
        bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);
      return bin;
    }
    
    /*
     * Convert an array of big-endian words to a string
     */
    function binb2str(bin)
    {
      var str = "";
      var mask = (1 << chrsz) - 1;
      for(var i = 0; i < bin.length * 32; i += chrsz)
        str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);
      return str;
    }
    
    /*
     * Convert an array of big-endian words to a hex string.
     */
    function binb2hex(binarray)
    {
      var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
      var str = "";
      for(var i = 0; i < binarray.length * 4; i++)
      {
        str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
               hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
      }
      return str;
    }
    
    /*
     * Convert an array of big-endian words to a base-64 string
     */
    function binb2b64(binarray)
    {
      var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
      var str = "";
      for(var i = 0; i < binarray.length * 4; i += 3)
      {
        var triplet = (((binarray[i   >> 2] >> 8 * (3 -  i   %4)) & 0xFF) << 16)
                    | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 )
                    |  ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF);
        for(var j = 0; j < 4; j++)
        {
          if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
          else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
        }
      }
      return str;
    }
    </script>
    John Shepard
    Beyond The Impossible
    -----------------------------
    Has a post helped you? Please show your apprecitation by clicking the
    image in the right upper corner.
    Posting code? Put your code between &#91;code&#93; and &#91;/code&#93; tags.
    X-Login and X-Send
  2. #2
  3. Frustrated Wizard
    ASP Hero (2000 - 2499 posts)

    Join Date
    Apr 2005
    Posts
    2,419
    Rep Power
    24
    Thanks John...although i prefer the RC4 method as you suggested..thanks for contributing
  4. #3
  5. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Feb 2006
    Posts
    1
    Rep Power
    0

    Exclamation Slight correction to the code provided


    Hi There,

    It is greatly appreciated that you have posted this sample code! Just one little thing to note. In the following line there are spaces that need to be removed for the code to function properly:

    var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw x yz0123456789+/";

    The 2 spaces between "x" and "y" need to be removed, otherwise the signature generated is incorrect.

    Just so you all know...

    Cheers!
  6. #4
  7. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Mar 2007
    Posts
    4
    Rep Power
    0

    Can you have two password strings?


    Code:
    <%@Language=VBScript%>
    <%Response.Buffer = True%>
    
    
    <html>
    <body>
    
    <!-- #include file = "hex_sha1_js.asp" -->
    <%
    
    	set cnn = server.createobject("adodb.connection")
    	cnn.open application("dcgsOnline")
    
    	Dim strPassWord, strHash
    	strPassWord = "abc"
    	strHash = hex_sha1(strPassWord) <----- Type mismatch: 'hex_sha1'
    
    	Response.Write("<p><b>strPassword:</b> " & strPassword & "</p>")
    	Response.Write("<p><b>strHash:</b> " & strHash & "</p>")
    %>
    
    <%
    
    set cnn = server.createobject("adodb.connection")
    cnn.open application("xxxxXXXX")
    
    UserName = Replace(Trim(Request.Form("username")), "'", "''")
    PassWord = Replace(Trim(Request.Form("password")), "'", "''")
    
    If UserName = "" OR PassWord = "" Then Response.Redirect "error.asp" <--- Is this password conflicting with the first string password?
    
    SQL = "Select * From users"
    Set RS = cnn.Execute(SQL)
    
    While Not RS.EOF  
      If username = RS("username") And password = RS("password") Then
          Session("allow") = True
          Session("clearance") = RS("Clearance")
          Session("username") = RS("UserName")
          Session("user_id") = RS("user_id")
          Session("fname") = RS("fname")
          Session("lname") = RS("lname")
          Session("email") = RS("email")
          Session("cala") = RS("cala")
          Session("usc") = RS("usc")
    	  Session ("cipt") = RS ("cipt")
    	  Session ("board") = RS ("board")
    	  Session ("tande") = RS ("tande")
    	  Session ("foreignna") = RS ("foreignna")
    	  Session ("clearance") = RS ("clearance")
                  
          Level = RS("Clearance")
       End If
      RS.MoveNext
    Wend
    
     RS.Close
      cnn.Close
      Set RS = Nothing
      Set cnn = Nothing
    
    If Session("allow") = True Then
      If Level = 3 Then Response.Redirect "index.asp"
      If Level = 4 Then Response.Redirect "admin.asp"
    Else
      Response.Redirect "error.asp"
    End If
    
    %>
    TIA,

    Lori
  8. #5
  9. No Profile Picture
    Contributing User
    ASP Mastermind (5000+ posts)

    Join Date
    Aug 2005
    Location
    North East, UK
    Posts
    6,191
    Rep Power
    141
    What is your question/problem?
  10. #6
  11. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Mar 2007
    Posts
    4
    Rep Power
    0
    How do I declare two password types in the same script - nvarchar and string?
  12. #7
  13. No Profile Picture
    Contributing User
    ASP Mastermind (5000+ posts)

    Join Date
    Aug 2005
    Location
    North East, UK
    Posts
    6,191
    Rep Power
    141
    Just call it twice
  14. #8
  15. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Mar 2007
    Posts
    4
    Rep Power
    0
    How would I do that?
  16. #9
  17. No Profile Picture
    Contributing User
    ASP Mastermind (5000+ posts)

    Join Date
    Aug 2005
    Location
    North East, UK
    Posts
    6,191
    Rep Power
    141
    Sorry, i misread your previous post.
    How do I declare two password types in the same script - nvarchar and string?
    What do you mean?

    If you want to call different functions then create a new variable.

    Code:
    	Dim strPassWord, strHash
    	strPassWord = "abc"
    	strHash1 = hex_sha1(strPassWord)
    	strHash2 = str_sha1(strPassWord)
    
    	Response.Write("<p><b>strPassWord:</b> " & strPassWord & "</p>")
    	Response.Write("<p><b>strHash1:</b> " & strHash1 & "</p>")
    	Response.Write("<p><b>strHash2:</b> " & strHash2 & "</p>")
  18. #10
  19. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Mar 2007
    Posts
    4
    Rep Power
    0

    Request Query String


    I forgot to add the 'request query string'

    Code:
    strPassWord = Request.QueryString("abc")
    strHash = Request.QueryString ("hex_sha1 strPassWord")
    It seems to run flawlessly (without type mismatch errors) now
  20. #11
  21. No Profile Picture
    Registered User
    ASP Explorer (0 - 99 posts)

    Join Date
    Mar 2009
    Location
    Omaha, NE
    Posts
    1
    Rep Power
    0

    SSHA passwords - suitable for LDAP


    I was looking for something to help change passwords in OpenLDAP, and the scripts above are definitely a piece to that puzzle. But, I wanted salted SHA passwords, so I made a few additions/changes to the scripts provided above, and I thought I'd share what I created yesterday.

    I took the output from the page, pasted into a test user's OpenLDAP password field, and then successfully authenticated against the new password field.

    Enjoy!

    -Scott

    Example:
    Code:
    <!-- #include file = "hex_sha1_js.asp" -->
    <%
    	Dim strPassWord, strHash, strSalt, strB64
    	
    	strPassWord = "abc"
    	strB64 = b64_sha1(strPassWord)
    
    	Response.Write("<p><b>strPassWord:</b> " & strPassWord & "<br>")
    	Response.Write("<b>sha:</b> " & strB64 & "<br>")
    
    	strB64 = b64_ssha(strPassWord)
    	Response.Write("{SSHA}" & strB64 & "<br></p>")
    
    %>
    hex_sha1_js.asp
    Code:
    <script language="javascript" type="text/javascript" runat="server">
    /*
     * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
     * in FIPS PUB 180-1
     * Version 2.1a Copyright Paul Johnston 2000 - 2002.
     * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
     * Distributed under the BSD License
     * See http://pajhome.org.uk/crypt/md5 for details.
     */
    
    /*
     * Configurable variables. You may need to tweak these to be compatible with
     * the server-side, but the defaults work in most cases.
     */
    var hexcase = 0;  /* hex output format. 0 - lowercase; 1 - uppercase        */
    var b64pad  = "="; /* base-64 pad character. "=" for strict RFC compliance   */
    var chrsz   = 8;  /* bits per input character. 8 - ASCII; 16 - Unicode      */
    
    /*
     * These are the functions you'll usually want to call
     * They take string arguments and return either hex or base-64 encoded strings
     */
    function get_sha1_hash(s) { return core_sha1(str2binb(s),s.length * chrsz); }
    
    function hex_sha1(s){return binb2hex(get_sha1_hash(s));}
    function b64_sha1(s){return binb2b64(get_sha1_hash(s));}
    function str_sha1(s){return binb2str(get_sha1_hash(s));}
    
    function create_random_salt(d) {
    	// Salts of 4, 8, 12, 16 etc. seem to work just fine in LDAP.
    	// There's probably an upper limit, but I didn't look for that...
    	if (typeof d == "undefined") {  //if d isn't specified, make it 4
    		d = 4;
    	}
    
    	//If a number is not a multiple of 4, make it a multiple of 4
    	if(d % 4 != 0) {  
    		d-=(d%4);
    	}
    
    	//To create the salt, we're taking the raw string sha1 hash of the string
    	//representation of the random number returned by Math.random()
    	//note that this creates salts that include unprintable characters...
    	buglystr=binb2str(get_sha1_hash("0"+Math.random()));
    	return buglystr.substring(0,d);
    }
    
    function b64_ssha(s){
    	t = create_random_salt();
    	saltedpass=s + t;
    	hashstr = binb2str(get_sha1_hash(saltedpass)) + t;
    	return binb2b64(str2binb(hashstr));
    }
    
    function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
    function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
    function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
    
    /*
     * Perform a simple self-test to see if the VM is working
     */
    function sha1_vm_test()
    {
      return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d";
    }
    
    /*
     * Calculate the SHA-1 of an array of big-endian words, and a bit length
     */
    function core_sha1(x, len)
    {
      /* append padding */
      x[len >> 5] |= 0x80 << (24 - len % 32);
      x[((len + 64 >> 9) << 4) + 15] = len;
    
      var w = Array(80);
      var a =  1732584193;
      var b = -271733879;
      var c = -1732584194;
      var d =  271733878;
      var e = -1009589776;
    
      for(var i = 0; i < x.length; i += 16)
      {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        var olde = e;
    
        for(var j = 0; j < 80; j++)
        {
          if(j < 16) w[j] = x[i + j];
          else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
          var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)),
                           safe_add(safe_add(e, w[j]), sha1_kt(j)));
          e = d;
          d = c;
          c = rol(b, 30);
          b = a;
          a = t;
        }
    
        a = safe_add(a, olda);
        b = safe_add(b, oldb);
        c = safe_add(c, oldc);
        d = safe_add(d, oldd);
        e = safe_add(e, olde);
      }
      return Array(a, b, c, d, e);
    
    }
    
    /*
     * Perform the appropriate triplet combination function for the current
     * iteration
     */
    function sha1_ft(t, b, c, d)
    {
      if(t < 20) return (b & c) | ((~b) & d);
      if(t < 40) return b ^ c ^ d;
      if(t < 60) return (b & c) | (b & d) | (c & d);
      return b ^ c ^ d;
    }
    
    /*
     * Determine the appropriate additive constant for the current iteration
     */
    function sha1_kt(t)
    {
      return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 :
             (t < 60) ? -1894007588 : -899497514;
    }
    
    /*
     * Calculate the HMAC-SHA1 of a key and some data
     */
    function core_hmac_sha1(key, data)
    {
      var bkey = str2binb(key);
      if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
    
      var ipad = Array(16), opad = Array(16);
      for(var i = 0; i < 16; i++)
      {
        ipad[i] = bkey[i] ^ 0x36363636;
        opad[i] = bkey[i] ^ 0x5C5C5C5C;
      }
    
      var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
      return core_sha1(opad.concat(hash), 512 + 160);
    }
    
    /*
     * Add integers, wrapping at 2^32. This uses 16-bit operations internally
     * to work around bugs in some JS interpreters.
     */
    function safe_add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    
    /*
     * Bitwise rotate a 32-bit number to the left.
     */
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    
    /*
     * Convert an 8-bit or 16-bit string to an array of big-endian words
     * In 8-bit function, characters >255 have their hi-byte silently ignored.
     */
    function str2binb(str)
    {
      var bin = Array();
      var mask = (1 << chrsz) - 1;
      for(var i = 0; i < str.length * chrsz; i += chrsz)
        bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);
      return bin;
    }
    
    /*
     * Convert an array of big-endian words to a string
     */
    function binb2str(bin)
    {
      var str = "";
      var mask = (1 << chrsz) - 1;
      for(var i = 0; i < bin.length * 32; i += chrsz)
        str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);
      return str;
    }
    
    /*
     * Convert an array of big-endian words to a hex string.
     */
    function binb2hex(binarray)
    {
      var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
      var str = "";
      for(var i = 0; i < binarray.length * 4; i++)
      {
        str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
               hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
      }
      return str;
    }
    
    /*
     * Convert an array of big-endian words to a base-64 string
     */
    function binb2b64(binarray)
    {
    //Split this line to keep the forum from adding spaces inappropriately.
      var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"+
    "abcdefghijklmnopqrstuvwxyz"+
    "0123456789+/";
      var str = "";
      for(var i = 0; i < binarray.length * 4; i += 3)
      {
        var triplet = (((binarray[i   >> 2] >> 8 * (3 -  i   %4)) & 0xFF) << 16)
                    | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 )
                    |  ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF);
        for(var j = 0; j < 4; j++)
        {
          if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
          else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
        }
      }
      return str;
    }
    </script>

Similar Threads

  1. MD5 hash
    By noodle_snacks in forum ASP Development
    Replies: 14
    Last Post: September 28th, 2007, 10:54 AM
  2. ASP Classic: MD5 hash
    By freeasphelp in forum Code Bank
    Replies: 6
    Last Post: April 11th, 2007, 06:48 AM
  3. How to save Hash Value on the SQL Server?
    By shomer in forum .NET Development
    Replies: 1
    Last Post: April 28th, 2005, 08:22 AM
  4. How can use my exists .aspx or .ascx file in classic asp?
    By mr_dotnet in forum .NET Development
    Replies: 2
    Last Post: September 24th, 2004, 06:53 AM
  5. How to call a .NET Web Services from a ASP Classic application
    By Steve Schofield in forum .NET Development
    Replies: 1
    Last Post: December 2nd, 2003, 04:36 AM

IMN logo majestic logo threadwatch logo seochat tools logo